Symantec Endpoint Encryption clients fail to check in if the credentials of the Client Authentication Account change

Article ID: 152429


Products

Endpoint Encryption, Drive Encryption, Desktop Email Encryption, Encryption Management Server, File Share Encryption, Gateway Email Encryption, PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK

Issue/Introduction

This article describes which options to pursue when clients stop checking in because the credentials of the Client Authentication Account have changed.

Environment

Symantec Endpoint Encryption 11.0 and above.

Resolution

You can check the username and domain name of the IIS Client Authentication Account by navigating to this registry location on the client:

HKEY_LOCAL_MACHINE\SOFTWARE\Encryption Anywhere\Framework\Client Database

Check the following values under that key:

  1. AccountName - the username of the IIS Client Authentication Account.
  2. AccountDomain - the Windows domain name of the IIS Client Authentication Account.

You will need to check whether the password has expired or has been changed using Active Directory.
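As an added example (not part of the Symantec article), the following PowerShell function performs both checks above from the client: it reads AccountName and AccountDomain from the registry location named in the article and then asks Active Directory whether that account is still usable. It assumes the RSAT ActiveDirectory module is available, that the two entries are string values under the documented key, and that you know the date on which the currently deployed client package was generated.

```powershell
# Added example, not code from the Symantec article or the SEE product.
# Assumptions: RSAT ActiveDirectory module installed; AccountName and
# AccountDomain are string values under the registry key the article names;
# the caller knows when the deployed client *.msi was built.
function Test-SeeClientAuthAccount {
    [CmdletBinding()]
    param(
        # Date the currently deployed client package was generated (constructed
        # input supplied by the caller from their own build records).
        [Parameter(Mandatory)][datetime]$ClientPackageBuilt
    )

    # Registry location from the article (64-bit hive assumed).
    $regPath = 'HKLM:\SOFTWARE\Encryption Anywhere\Framework\Client Database'
    $props   = Get-ItemProperty -Path $regPath -ErrorAction Stop
    $name    = $props.AccountName
    $domain  = $props.AccountDomain
    if (-not $name -or -not $domain) {
        throw "AccountName or AccountDomain not found under $regPath"
    }

    # Query the account's password state in the domain it belongs to.
    Import-Module ActiveDirectory -ErrorAction Stop
    $user = Get-ADUser -Identity $name -Server $domain -Properties `
        PasswordLastSet, PasswordExpired, PasswordNeverExpires, LockedOut, Enabled

    # A password set after the package was built means the embedded
    # credentials no longer match what IIS will accept.
    $changedSinceBuild = $user.PasswordLastSet -gt $ClientPackageBuilt

    [pscustomobject]@{
        Account              = "$domain\$name"
        Enabled              = $user.Enabled
        LockedOut            = $user.LockedOut
        PasswordExpired      = $user.PasswordExpired
        PasswordNeverExpires = $user.PasswordNeverExpires
        PasswordLastSet      = $user.PasswordLastSet
        ChangedSincePackage  = $changedSinceBuild
        # True when any condition the article warns about applies, i.e. the
        # client will fail to check in until it is rebuilt (or moved to OAuth).
        CheckInAtRisk        = (-not $user.Enabled) -or $user.LockedOut -or
                               $user.PasswordExpired -or $changedSinceBuild
    }
}

# Usage with a constructed build date:
# Test-SeeClientAuthAccount -ClientPackageBuilt '2024-01-15'
```

Run it on a client that has stopped checking in; a CheckInAtRisk value of True points to the account rather than to the server or network.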


If you find that the credentials for the account mentioned above were changed, it is typically necessary to deploy a new client unless you are on SEE 12.0.1 and already using OAuth.

If you have not yet started to use OAuth, the credentials must be correctly configured on the SEE Client for communication to resume. If they are not, it is best to create a new SEE 12.0.1 client and deploy it to each endpoint.

After the SEE Clients are deployed with 12.0.1, the Windows credentials are no longer built into the client and OAuth is used going forward.

See the following KB article for more information on OAuth and how to start taking advantage of this significant improvement:
240321 - OAuth Communications with Symantec Endpoint Encryption 11.4 and above


If you are not sure whether 12.0.1 is the best option for you, reach out to Symantec Encryption Support for further guidance; OAuth is the better option and should be used in preference to credentials.


_____________________________________________________________________________________


Historical Information - The information below is provided for historical reference, but it is no longer the recommended communication option; OAuth communication is preferred.

The Symantec Endpoint Encryption Installation Guide states that the IIS Client Authentication Account is a regular domain user account and does not require specific privileges. While this account needs only to be a member of the Domain Users security group, it should be treated as a service account and its password should be set to never expire.


The account is used by the Endpoint Encryption clients to authenticate to IIS in order to report in to the Endpoint Encryption Management Server. Changing its password means that the clients can no longer check in with, or be managed by, the Endpoint Encryption Management Server, because the password of the Endpoint Encryption IIS Client Authentication Account is embedded in the Endpoint Encryption *.msi installation files.

During the Endpoint Encryption Client generation process, you must enter valid credentials for the Client Authentication Account. This will embed the credentials needed in order to authenticate to the Endpoint Encryption Management Server.

Symantec does not recommend changing these credentials, as doing so will cause client-server communications to fail.

If your organization's policies require that you change the Endpoint Encryption IIS Client Authentication Account password periodically, please be aware that you will need to generate updated *.msi installation files and reinstall the application to the existing endpoints.

Workaround:
If the IIS password has been changed, or is no longer known, Anonymous Authentication can be enabled in IIS to allow the deployed SEE Clients to communicate with the SEE Management Server. Once the SEE Clients are communicating, issue the "Change Web Access" server command on the SEE Management Server; once the clients receive this update, they will start to communicate using the new password.

Once all the SEE Clients are communicating with the new password, disable Anonymous Authentication, re-enable Windows Authentication, and then verify that all clients continue to check in.

New Feature: Beginning with SEE 11.4, a new authentication type called OAuth was introduced, which uses tokens embedded in the client for authentication with the server. This feature avoids using credentials to authenticate entirely and can be used to avoid SEE IIS authentication password issues. More information about this feature and how to configure it is in the article "OAuth Communications with Symantec Endpoint Encryption 11.4 and above".

Additional Information

Etrack: 4240950